CVE-2026-44237
Status: Undergoing Analysis - In Progress
OAuth2 Token Bypass in FreePBX

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.
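To make the defect concrete, the following is an added illustration written for this page, not code taken from FreePBX: a client repository whose validateClient() always returns true, beside a hardened version that actually verifies the secret. The method signature follows league/oauth2-server's ClientRepositoryInterface::validateClient(), which the FreePBX api module is assumed here to implement; the class names, the in-memory client table and the sample credentials are all constructed for the example.

```php
<?php
// Added example (not FreePBX's own code). Shows the advisory's defect,
// a validateClient() that ignores the client_secret, next to a version
// that verifies the secret against a stored hash.

declare(strict_types=1);

final class VulnerableClientRepository
{
    // The defect the advisory describes: the secret is never compared,
    // so any token request naming a known client_id is accepted.
    public function validateClient(string $clientId, ?string $clientSecret, ?string $grantType): bool
    {
        return true;
    }
}

final class HardenedClientRepository
{
    /** @var array<string,string> client_id => password_hash() of the client_secret */
    private array $clients;

    public function __construct(array $clients)
    {
        $this->clients = $clients;
    }

    public function validateClient(string $clientId, ?string $clientSecret, ?string $grantType): bool
    {
        // Unknown client_id, or a confidential client that sent no secret: reject.
        if (!isset($this->clients[$clientId]) || $clientSecret === null || $clientSecret === '') {
            return false;
        }
        // password_verify() compares against the stored hash in constant time,
        // so the plaintext secret is never stored and a wrong guess leaks no timing.
        return password_verify($clientSecret, $this->clients[$clientId]);
    }
}

// Constructed sample credentials: a 64-character hex client_id, as the
// advisory describes, and a random secret that is stored only as a hash.
$clientId = bin2hex(random_bytes(32));
$secret   = bin2hex(random_bytes(32));
$store    = [$clientId => password_hash($secret, PASSWORD_DEFAULT)];

$vuln = new VulnerableClientRepository();
$hard = new HardenedClientRepository($store);

$grant = 'client_credentials'; // hypothetical grant type for the demonstration
printf("vulnerable, wrong secret:  %s\n", $vuln->validateClient($clientId, 'wrong', $grant) ? 'accepted' : 'rejected');
printf("hardened, wrong secret:    %s\n", $hard->validateClient($clientId, 'wrong', $grant) ? 'accepted' : 'rejected');
printf("hardened, missing secret:  %s\n", $hard->validateClient($clientId, null, $grant) ? 'accepted' : 'rejected');
printf("hardened, correct secret:  %s\n", $hard->validateClient($clientId, $secret, $grant) ? 'accepted' : 'rejected');
```

Run with `php` on the command line: the vulnerable repository accepts the wrong secret, while the hardened one rejects both the wrong and the missing secret and accepts only the correct one. The point for a reviewer is that the authorization server trusts this method's boolean completely, so a hard-coded `return true` removes the only check standing between knowledge of a client_id and a valid access token.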
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
Related entries: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
freepbx   freepbx    versions before 17.0.8 (17.0.8 excluded)
CWE ID     Description
CWE-1390   The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in FreePBX's API module (prior to version 17.0.8) involves improper validation of client credentials during OAuth2 token issuance. Specifically, the validateClient() method in ClientRepository.php always returns true, allowing anyone who knows a valid client_id to obtain OAuth2 access tokens without needing the correct client_secret.

The client_id is a randomized 64-character string that can only be obtained through an authenticated Administrator Control Panel session or access to a backup.

This flaw enables attackers to bypass OAuth2 authentication and gain unauthorized access.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in FreePBX's API module allows unauthorized access to OAuth2 access tokens, potentially enabling attackers to gain full read/write access to all GraphQL mutations and queries if the default gql scope is enabled.

Such unauthorized access could lead to exposure or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.

Mitigations such as updating to version 17.0.8 or later, restricting access to the Administrator Control Panel, denying access from hostile networks, and securing backups are necessary to maintain compliance and reduce risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves verifying the version of the FreePBX API module to ensure it is 17.0.8 or later, as versions prior to 17.0.8 are vulnerable.

Since the vulnerability allows OAuth2 authentication to be bypassed with knowledge of a valid client_id, OAuth2 access tokens being issued to requests that did not present the correct client_secret could indicate exploitation attempts and is worth monitoring for.

No specific detection commands are provided in the available resources.


How can this vulnerability impact me?

An attacker who knows a valid client_id can bypass OAuth2 authentication and obtain access tokens without the correct client_secret.

With these tokens, the attacker can gain full read and write access to all GraphQL mutations and queries if the default gql scope is enabled.

This could lead to unauthorized access, data manipulation, and potentially full control over the FreePBX system's API functions.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-44237 vulnerability in FreePBX's API module, update the API module to version 17.0.8 or later. In addition:

  • Restrict access to the Administrator Control Panel to authorized users only.
  • Deny access to the Administrator Control Panel from hostile or untrusted networks.
  • Maintain secure control of backups to prevent unauthorized access to client_id values.
